Description
Title
Remote Code Execution (RCE) in SoyCMS
Summary
Severity: High
SoyCMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) through an unrestricted file upload. The Cross-Site Scripting (XSS) vulnerability reported earlier can be chained with it to achieve remote code execution by redirecting a logged-in administrator to a specially crafted web page.
Impact: XSS to RCE via Inquiry Error and Unrestricted File Upload
- Attack vector: the administrator must be logged in.
- Components: File Manager
- Tested SoyCMS version: 3.0.2 (latest)
- Affected SoyCMS versions: ~3.0.2 (3.0.2 and earlier)
Found by @stypr from Vulnerability Research Team in Flatt Security Inc.
Full Exploit Video: https://youtu.be/FWIDFNXmr9g
Cause
The file upload feature in FileManager uses elFinder. However, the MIME type presented on upload can be spoofed, so a PHP file is accepted. There is no file type check in elFinder here, so one has to be implemented manually.
- soycms/cms/soycms/js/elfinder/php/connector.php, lines 143 to 159 at commit 34e066d
- soycms/cms/soycms/js/elfinder/php/connector.php-change2, lines 188 to 215 at commit 4375940
Remediation
Please add a file extension check in the elFinder accessControl callback, so that files with server-executable extensions cannot be written regardless of the MIME type the client claims.
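The following is an added example of such a check, written for this advisory; it is not SoyCMS's or elFinder's own code. It assumes elFinder's documented accessControl callback signature (access($attr, $path, $data, $volume, $isDir, $relpath), returning true, false or null to let elFinder decide), that elFinder consults this callback with $attr === 'write' before creating a file (upload, mkfile, paste and the target name of a rename), and that the connector can load elFinder through its bundled autoload.php. The root path and URL are placeholders. The uploadAllow/uploadDeny/uploadOrder options are elFinder's own MIME-based lists and are included only as defence in depth; because they evaluate a detected MIME type, the extension check is what actually stops a spoofed upload.

```php
<?php
// Added example (not SoyCMS or elFinder code): an elFinder accessControl callback
// that refuses to write any file whose name carries a server-executable extension.
require './autoload.php'; // assumption: elFinder's bundled autoloader

// Extensions a typical PHP web server may execute; extend for local handlers.
// Dot-files such as .htaccess are already denied by the dot-file rule below.
const DENIED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
                           'phtml', 'phar', 'pht', 'phps'];

/**
 * True when any dot-separated part of the file name is a denied extension.
 * Checking every part, not only the last one, also covers names such as
 * "upload.php.jpg" that some Apache AddHandler configurations still execute.
 */
function hasDeniedExtension(string $name): bool
{
    $parts = explode('.', strtolower($name));
    array_shift($parts); // the first element is the base name, not an extension
    foreach ($parts as $part) {
        if (in_array($part, DENIED_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

/**
 * elFinder accessControl callback (assumed signature, see lead-in).
 * Returns false to deny, true to allow, null to leave the decision to elFinder.
 */
function access($attr, $path, $data, $volume, $isDir, $relpath)
{
    $basename = basename($path);

    // Keep elFinder's default rule: dot-files are neither readable nor writable,
    // except the volume root itself.
    if ($basename !== '' && $basename[0] === '.' && strlen($relpath) !== 1) {
        return !($attr == 'read' || $attr == 'write');
    }

    // Deny write access (upload, mkfile, paste, rename target) for executable names.
    // This is independent of whatever MIME type the client supplied.
    if (!$isDir && $attr === 'write' && hasDeniedExtension($basename)) {
        return false;
    }

    return null; // otherwise let elFinder decide
}

$opts = [
    'roots' => [[
        'driver'        => 'LocalFileSystem',
        'path'          => '/path/to/files/',   // placeholder
        'URL'           => '/files/',           // placeholder
        'accessControl' => 'access',
        // Defence in depth: elFinder's MIME-based allow/deny lists.
        // These rely on the detected MIME type and do not replace the
        // extension check above.
        'uploadAllow'   => ['image', 'text/plain'],
        'uploadDeny'    => ['all'],
        'uploadOrder'   => ['deny', 'allow'],
    ]],
];

// Run the connector
$connector = new elFinderConnector(new elFinder($opts));
$connector->run();
```

Denying on the 'write' attribute rather than only on upload matters: a file uploaded under a harmless name can otherwise be renamed to an executable one, and the rename target goes through the same callback. When verifying the fix, confirm that uploading, renaming to and pasting a name with any denied extension is rejected by the connector, and that the web server serving the upload directory does not execute scripts from it even if a file slips through.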